author: Sven Vermeulen <sven.vermeulen@siphos.be> 2013-05-01 20:15:23 +0200
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2013-05-01 20:15:23 +0200
commit: f71f05b9435fb78d1b6929d2d146e8381d8f4da6 (patch)
tree: 6ee334548086b067a6e9cc2b5d9665a643dc491b /Changelog
parent: Remove duplicate definition for wpa_cli (reported by amade)
Archive old Changelog for log format change
Diffstat (limited to 'Changelog')
-rw-r--r--  Changelog  1162
1 files changed, 215 insertions, 947 deletions
diff --git a/Changelog b/Changelog
index 00908932..5fcca553 100644
--- a/Changelog
+++ b/Changelog
@@ -1,948 +1,216 @@
-* Wed Jul 25 2012 Chris PeBenito <selinux@tresys.com> - 2.20120725
-- Rename epollwakeup capability2 permission to block_suspend to match the
- corresponding kernel capability rename.
-- Udev and init changes to support /run, from Sven Vermeulen.
-- auth_use_nsswitch updates from Miroslav Grepl.
-- Mount runtime files fix from Guido Trentalancia.
-- Update Python scripts to support Python 3, from Sven Vermeulen.
-- Update capability2 object class for new wake_alarm and epollwakeup
- capabilities.
-- SEPostgresql updates from Kohei KaiGai.
-- Simplify file contexts based on file context path substitutions, from Sven
- Vermeulen.
-- Add optional name for kernel and system filetrans interfaces.
-- Non-auth file attribute to eliminate set expressions, from James Carter.
-- Virt updates from Sven Vermeulen.
-- Various dontaudits from Sven Vermeulen.
-- Fix base module and monolithic role declaration ordering issue now that
- role declarations must be explicit, from Harry Ciao.
-- Added contrib modules:
- bacula (Stan Sander/Sven Vermeulen)
- bcfg2 (Miroslav Grepl)
- blueman (Miroslav Grepl)
+* Wed Apr 24 2013 Chris PeBenito <selinux@tresys.com> - 2.20130424
+Chris PeBenito (78):
+ Mcelog update from Guido Trentalancia.
+ Add bird contrib module from Dominick Grift.
+ Minor whitespace fix in udev.fc
+ Module version bump for udev binary location update from Sven Vermeulen.
+ clarify the file_contexts.subs_dist configuration file usage from Guido
+ Trentalancia
+ Update contrib.
+ Remove trailing / from paths
+ Module version bump for fc substitutions optimizations from Sven
+ Vermeulen.
+ Update contrib.
+ Module version bump for /run/dhcpc directory creation by dhcp from Sven
+ Vermeulen.
+ Module version bump for fc fixes in devices module from Dominick Grift.
+ Update contrib.
+ Module version bump for /dev/mei type and label from Dominick Grift.
+ Module version bump for init_daemon_run_dirs usage from Sven Vermeulen.
+ Module version bump for lost+found labeling in /var/log from Guido
+ Trentalancia.
+ Module version bump for loop-control patch.
+ Turn off all tunables by default, from Guido Trentalancia.
+ Add /usr/lib to TEST_TOOLCHAIN LD_LIBRARY_PATH.
+ Module version bump for various changes from Sven Vermeulen.
+ Module version bump for ports update from Dominick Grift.
+ Module version bump for Debian file context updates from Laurent
+ Bigonville.
+ Update contrib.
+ Update contrib.
+ split kmod fc into two lines.
+ Module version bump for kmod fc from Laurent Bigonville.
+ Module version bump for cfengine fc change from Dominick Grift.
+ Module verision bump for Debian cert file fc update from Laurent
+ Bigonville.
+ Module version bump for ipsec net sysctls reading from Miroslav Grepl.
+ Module version bump for srvloc port definition from Dominick Grift.
+ Rename cachefiles_dev_t to cachefiles_device_t.
+ Module version bump for cachefiles core support.
+ Module version bump for changes from Dominick Grift and Sven Vermeulen.
+ Module version bump for modutils patch from Dominick Grift.
+ Module version bump for dhcp6 ports, from Russell Coker.
+ Rearrange new xserver interfaces.
+ Rename new xserver interfaces.
+ Module version bump for xserver interfaces from Dominick Grift.
+ Move kernel_stream_connect() declaration.
+ Module version bump for kernel_stream_connect() from Dominick Grift.
+ Rename logging_search_all_log_dirs to logging_search_all_logs
+ Module version bump for minor logging and sysnet changes from Sven
+ Vermeulen.
+ Module version bump for dovecot libs from Mika Pflueger.
+ Rearrange interfaces in files, clock, and udev.
+ Module version bump for interfaces used by virt from Dominick Grift.
+ Module version bump for arping setcap from Dominick Grift.
+ Rearrange devices interfaces.
+ Module version bump/contrib sync.
+ Rearrange lines.
+ Module version bump for user home content fixes from Dominick Grift.
+ Rearrange files interfaces.
+ Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
+ Update contrib.
+ Whitespace fix in miscfiles.fc.
+ Adjust man cache interface names.
+ Module version bump for man cache from Dominick Grift.
+ Module version bump for Debian ssh-keysign location from Laurent
+ Bigonville.
+ Module version bump for userdomain portion of XDG updates from Dominick
+ Grift.
+ Module version bump for iptables fc entry from Sven Vermeulen and inn log
+ from Dominick Grift.
+ Module version bump for logging and tcpdump fixes from Sven Vermeulen.
+ Move mcs_constrained() impementation.
+ Module version bump for mcs_constrained from Dominick Grift.
+ Update contrib.
+ Module version bump from Debian changes from Laurent Bigonville.
+ Module version bump for zfs labeling from Matthew Thode.
+ Module version bump for misc updates from Sven Vermeulen.
+ Update contrib.
+ Module version bump for fixes from Dominick Grift.
+ Module version bump for Debian updates from Laurent Bigonville.
+ Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.
+ Update contrib
+ Fix fc_sort.c warning uncovered by recent gcc
+ Module version bump for chfn fixes from Sven Vermeulen.
+ Add swapoff fc entry.
+ Add conntrack fc entry.
+ Update contrib.
+ Update contrib
+ Archive old Changelog for log format change.
+ Bump module versions for release.
+
+Dominick Grift (40):
+ There can be more than a single watchdog interface
+ Fix a suspected typo
+ Intel® Active Management Technology
+ Declare a loop control device node type and label /dev/loop-control
+ accordingly
+ Declare port types for ports used by Fedora but use /etc/services for port
+ names rather than using fedora port names. If /etc/services does not
+ have a port name for a port used by Fedora, skip for now.
+ Remove var_log_t file context spec
+ svrloc port type declaration from slpd policy module
+ Declare a cachfiles device node type
+ Implement files_create_all_files_as() for cachefilesd
+ Restricted Xwindows user domains run windows managers in the windows
+ managers domain
+ Declare a cslistener port type for phpfpm
+ Changes to the sysnetwork policy module
+ Changes to the userdomain policy module
+ Changes to the bootloader policy module
+ Changes to the modutils policy module
+ Changes to the xserver policy module
+ Changes to various policy modules
+ Changes to the kernel policy module
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For svirt_lxc_domain
+ For virtd lxc
+ For virtd_lxc
+ For virtd_lxc
+ For virtd lxc
+ For virtd lxc
+ For virtd
+ Arping needs setcap to cap_set_proc
+ For virtd
+ Changes to the user domain policy module
+ Samhain_admin() now requires a role for the role_transition from $1 to
+ initrc_t via samhain_initrc_exec_t
+ Changes to the user domain policy module
+ Label /var/cache/man with a private man cache type for mandb
+ Create a attribute user_home_content_type and assign it to all types that
+ are classified userdom_user_home_content()
+ These two attribute are unused
+ System logger creates innd log files with a named file transition
+ Implement mcs_constrained_type
+ Changes to the init policy module
+ Changes to the userdomain policy module
+ NSCD related changes in various policy modules
+
+Guido Trentalancia (1):
+ add lost+found filesystem labels to support NSA security guidelines
+
+Laurent Bigonville (21):
+ Add Debian locations for GDM 3
+ Add Debian location for udisks helpers
+ Add insmod_exec_t label for kmod executable
+ Add Debian location for PKI files
+ Add Debian location for ssh-keysign
+ Properly label all the ssh host keys
+ Allow udev_t domain to read files labeled as consolekit_var_run_t
+ authlogin.if: Add auth_create_pam_console_data_dirs and
+ auth_pid_filetrans_pam_var_console interfaces
+ Label /etc/rc.d/init.d/x11-common as xdm_exec_t
+ Drop /etc/rc.d/init.d/xfree86-common filecontext definition
+ Label /var/run/shm as tmpfs_t for Debian
+ Label /var/run/motd.dynamic as initrc_var_run_t
+ Label /var/run/initctl as initctl_t
+ udev.if: Call files_search_pid instead of files_search_var_lib in
+ udev_manage_pid_files
+ Label executables in /usr/lib/NetworkManager/ as bin_t
+ Add support for rsyslog
+ Label var_lock_t as a mountpoint
+ Add mount_var_run_t type and allow mount_t domain to manage the files and
+ directories
+ Add initrc_t to use block_suspend capability
+ Label executables under /usr/lib/gnome-settings-daemon/ as bin_t
+ Label nut drivers that are installed in /lib/nut on Debian as bin_t
+
+Matthew Thode (1):
+ Implement zfs support
+
+Mika Pflüger (2):
+ Debian locations of gvfs and kde4 libexec binaries in /usr/lib
+ Explicitly label dovecot libraries lib_t for debian
+
+Miroslav Grepl (1):
+ Allow ipsec to read kernel sysctl
+
+Paul Moore (1):
+ flask: add the attach_queue permission to the tun_socket object class
+
+Russell Coker (1):
+ Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for
+ client control
+
+Sven Vermeulen (27):
+ New location for udevd binary
+ Use substititions for /usr/local/lib and /etc/init.d
+ DHCP client's hooks create /run/dhcpc directory
+ Introduce init_daemon_run_dir transformation
+ Use the init_daemon_run_dir interface for udev
+ Allow initrc_t to create run dirs for core modules
+ Puppet uses mount output for verification
+ Allow syslogd to create /var/lib/syslog and
+ /var/lib/misc/syslog-ng.persist
+ Gentoo's openrc does not require initrc_exec_t for runscripts anymore
+ Allow init scripts to read courier configuration
+ Allow search within postgresql var directory for the stream connect
+ interface
+ Introduce logging_getattr_all_logs interface
+ Introduce logging_search_all_log_dirs interface
+ Support flushing routing cache
+ Allow init to set attributes on device_t
+ Introduce files_manage_all_pids interface
+ Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)
+ Update files_manage_generic_locks with directory permissions
+ Run ipset in iptables domain
+ tcpdump chroots into /var/lib/tcpdump
+ Remove generic log label for cron location
+ Postgresql 9.2 connects to its unix stream socket
+ lvscan creates the /run/lock/lvm directory if nonexisting (v2)
+ Allow syslogger to manage cron log files (v2)
+ Allow initrc_t to read stunnel configuration
+ Introduce exec-check interfaces for passwd binaries and useradd binaries
+ chfn_t reads in file context information and executes nscd
-* Wed Feb 15 2012 Chris PeBenito <selinux@tresys.com> - 2.20120215
-- Sshd usage of mkhomedir_helper via oddjob, from Sven Vermeulen.
-- Add slim and lxdm file contexts to xserver, from Sven Vermeulen.
-- Add userdom interfaces for user application domains, user tmp files,
- and user tmpfs files.
-- Asterisk administration fixes from Sven Vermeulen.
-- Fix makefiles to install files with the correct DAC permissions if the
- umask is not 022.
-- Remove deprecated support macros.
-- Remove rolemap and per-role template support.
-- Change corenetwork port declaration to apply the reserved port type
- attribute only, when the type has ports above and below 1024.
-- Change secure_mode_policyload to disable only toggling of this Boolean
- rather than disabling all Boolean toggling permissions.
-- Use role attributes to assist with domain transitions in interactive
- programs.
-- Milter ports patch from Paul Howarth.
-- Separate portage fetch rules out of portage_run() and portage_domtrans()
- from Sven Vermeulen.
-- Enhance corenetwork network_port() macro to support ports that do not have
- a well defined port number, such as stunnel.
-- Opendkim support in dkim module from Paul Howarth.
-- Wireshark updates from Sven Vermeulen.
-- Change secure_mode_insmod to control sys_module capability rather than
- controlling domain transitions to insmod.
-- Openrc and portage updates from Sven Vermeulen.
-- Allow user and role changes on dynamic transitions with the same
- constraints as regular transitions.
-- New git service features from Dominick Grift.
-- Corenetwork policy size optimization from Dan Walsh.
-- Silence spurious udp_socket listen denials.
-- Fix unexpanded MLS/MCS fields in monolithic seusers file.
-- Type transition fix in Postgresql database objects from KaiGai Kohei.
-- Support for file context path substitutions (file_contexts.subs).
-- Added contrib modules:
- glance (Dan Walsh)
- rhsmcertd (Dan Walsh)
- sanlock (Dan Walsh)
- sblim (Dan Walsh)
- uuidd (Dan Walsh)
- vdagent (Dan Walsh)
-
-* Tue Jul 26 2011 Chris PeBenito <selinux@tresys.com> - 2.20110726
-- Fix role declarations to handle role attribute compilers.
-- Rename audioentropy module to entropyd due to haveged support.
-- Add haveged support from Sven Vermeulen.
-- Authentication file patch from Matthew Ife.
-- Add agent support to zabbix from Sven Vermeulen.
-- Cyrus file context update for Gentoo from Corentin Labbe.
-- Portage updates from Sven Vermeulen.
-- Fix init_system_domain() description, pointed out by Elia Pinto.
-- Postgresql selabel_lookup update from KaiGai Kohei.
-- Dovecot managesieve support from Mika Pfluger.
-- Semicolon after interface/template calls cleanup from Elia Pinto.
-- Gentoo courier updates from Sven Vermeulen.
-- Amavis patch for connecting to nslcd from Miroslav Grepl.
-- Shorewall patch from Miroslav Grepl.
-- Cpufreqselector dbus patch from Guido Trentalancia.
-- Cron pam_namespace and pam_loginuid support from Harry Ciao.
-- Xserver update for startx from Sven Vermeulen.
-- Fix MLS constraint for contains permission from Harry Ciao.
-- Apache user webpages fix from Dominick Grift.
-- Change default build.conf to modular policy from Stephen Smalley.
-- Xen refinement patch from Stephen Smalley.
-- Sudo timestamp file location update from Sven Vermeulen.
-- XServer keyboard event patch from Sven Vermeulen.
-- RAID uevent patch from Sven Vermeulen.
-- Gentoo ALSA init script usage patch from Sven Vermeulen.
-- LVM semaphore usage patch from Sven Vermeulen.
-- Module load request patch for insmod from Sven Vermeulen.
-- Cron default contexts fix from Harry Ciao.
-- Man page fixes from Justin Mattock.
-- Add syslog capability.
-- Support for logging in to /dev/console, from Harry Ciao.
-- Database object class updates and associated SEPostgreSQL changes from
- KaiGai Kohei.
-- IPSEC SPD and Hadoop IPSEC updates from Paul Nuzzi.
-- Mount updates from Harry Ciao.
-- Semanage update for MLS systems from Harry Ciao.
-- Vlock terminal use update from Harry Ciao.
-- Hadoop CDH3 updates from Paul Nuzzi.
-- Add sepgsql_contexts appconfig files from KaiGai Kohei.
-- Added modules:
- aiccu
- bugzilla (Dan Walsh)
- colord (Dan Walsh)
- cmirrord (Miroslav Grepl)
- mediawiki (Miroslav Grepl)
- mpd (Miroslav Grepl)
- ncftool
- passenger (Miroslav Grepl)
- qpid (Dan Walsh)
- samhain (Harry Ciao)
- telepathy (Dominick Grift)
- tcsd (Stephen Smalley)
- vnstatd (Dan Walsh)
- zarafa (Miroslav Grepl)
-
-* Mon Dec 13 2010 Chris PeBenito <selinux@tresys.com> - 2.20101213
-- Git man page from Dominick Grift.
-- Alsa and oident home content cleanup from Dominick Grift.
-- Add support for custom build options.
-- Unconditional staff and user oidentd home config access from Dominick Grift.
-- Conditional mmap_zero support from Dominick Grift.
-- Added devtmpfs support.
-- Dbadm updates from KaiGai Kohei.
-- Virtio disk file context update from Mika Pfluger.
-- Increase bindreservport range to 512-1024 in corenetwork, from Dan Walsh.
-- Add JIT usage for freshclam.
-- Remove ethereal module since the application was renamed to wireshark.
-- Remove duplicate/redundant rules, from Russell Coker.
-- Increased default number of categories to 1024, from Russell Coker.
-- Added modules:
- accountsd (Dan Walsh)
- cgroup (Dominick Grift)
- hadoop (Paul Nuzzi)
- kdumpgui (Dan Walsh)
- livecd (Dan Walsh)
- mojomojo (Iain Arnell)
- sambagui (Dan Walsh)
- shutdown (Dan Walsh)
- sosreport (Dan Walsh)
- vlock (Harry Ciao)
-
-* Mon May 24 2010 Chris PeBenito <selinux@tresys.com> - 2.20100524
-- Merged a significant portion of Fedora policy.
-- Move rules from mta mailserver delivery from interface to .te to use
- attributes.
-- Remove concept of users from terminal module interfaces since the
- attributes are not specific to users.
-- Add non-drawing X client support, for consolekit usage.
-- Misc Gentoo fixes from Chris Richards.
-- AFS and abrt fixes from Dominick Grift.
-- Improved the XML docs of 55 most-used interfaces.
-- Apcupsd and amavis fixes from Dominick Grift.
-- Fix network_port() in corenetwork to correctly handle port ranges.
-- SE-Postgresql updates from KaiGai Kohei.
-- X object manager revisions from Eamon Walsh.
-- Added modules:
- aisexec (Dan Walsh)
- chronyd (Miroslav Grepl)
- cobbler (Dominick Grift)
- corosync (Dan Walsh)
- dbadm (KaiGai Kohei)
- denyhosts (Dan Walsh)
- nut (Stefan Schulze Frielinghaus, Miroslav Grepl)
- likewise (Scott Salley)
- plymouthd (Dan Walsh)
- pyicqt (Stefan Schulze Frielinghaus)
- rhcs (Dan Walsh)
- rgmanager (Dan Walsh)
- sectoolm (Miroslav Grepl)
- usbmuxd (Dan Walsh)
- vhostmd (Dan Walsh)
-
-* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
-- Add separate x_pointer and x_keyboard classes inheriting from x_device.
- From Eamon Walsh.
-- Deprecated the userdom_xwindows_client_template().
-- Misc Gentoo fixes from Corentin Labbe.
-- Debian policykit fixes from Martin Orr.
-- Fix unconfined_r use of unconfined_java_t.
-- Add missing x_device rules for XI2 functions, from Eamon Walsh.
-- Add missing rules to make unconfined_cronjob_t a valid cron job domain.
-- Add btrfs and ext4 to labeling targets.
-- Fix infrastructure to expand macros in initrc_context when installing.
-- Handle unix_chkpwd usage by useradd and groupadd.
-- Add missing compatibility aliases for xdm_xserver*_t types.
-- Added modules:
- abrt (Dan Walsh)
- dkim (Stefan Schulze Frielinghaus)
- gitosis (Miroslav Grepl)
- gnomeclock (Dan Walsh)
- hddtemp (Dan Walsh)
- kdump (Dan Walsh)
- modemmanager(Dan Walsh)
- nslcd (Dan Walsh)
- puppet (Craig Grube)
- rtkit (Dan Walsh)
- seunshare (Dan Walsh)
- shorewall (Dan Walsh)
- tgtd (Matthew Ife)
- tuned (Miroslav Grepl)
- xscreensaver (Corentin Labbe)
-
-* Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
-- Gentoo fixes for init scripts and system startup.
-- Remove read_default_t tunable.
-- Greylist milter from Paul Howarth.
-- Crack db access for su to handle password expiration, from Brandon Whalen.
-- Misc fixes for unix_update from Brandon Whalen.
-- Add x_device permissions for XI2 functions, from Eamon Walsh.
-- MLS constraints for the x_selection class, from Eamon Walsh.
-- Postgresql updates from KaiGai Kohei.
-- Milter state directory patch from Paul Howarth.
-- Add MLS constrains for ingress/egress and secmark from Paul Moore.
-- Drop write permission from fs_read_rpc_sockets().
-- Remove unused udev_runtime_t type.
-- Patch for RadSec port from Glen Turner.
-- Enable network_peer_controls policy capability from Paul Moore.
-- Btrfs xattr support from Paul Moore.
-- Add db_procedure install permission from KaiGai Kohei.
-- Add support for network interfaces with access controlled by a Boolean
- from the CLIP project.
-- Several fixes from the CLIP project.
-- Add support for labeled Booleans.
-- Remove node definitions and change node usage to generic nodes.
-- Add kernel_service access vectors, from Stephen Smalley.
-- Added modules:
- certmaster (Dan Walsh)
- cpufreqselector (Dan Walsh)
- devicekit (Dan Walsh)
- fprintd (Dan Walsh)
- git (Dan Walsh)
- gpsd (Miroslav Grepl)
- guest (Dan Walsh)
- ifplugd (Dan Walsh)
- lircd (Miroslav Grepl)
- logadm (Dan Walsh)
- pads (Dan Walsh)
- pingd (Dan Walsh)
- policykit (Dan Walsh)
- pulseaudio (Dan Walsh)
- psad (Dan Walsh)
- portreserve (Dan Walsh)
- sssd (Dan Walsh)
- ulogd (Dan Walsh)
- varnishd (Dan Walsh)
- webadm (Dan Walsh)
- wm (Dan Walsh)
- xguest (Dan Walsh)
- zosremote (Dan Walsh)
-
-* Wed Dec 10 2008 Chris PeBenito <selinux@tresys.com> - 2.20081210
-- Fix consistency of audioentropy and iscsi module naming.
-- Debian file context fix for xen from Russell Coker.
-- Xserver MLS fix from Eamon Walsh.
-- Add omapi port for dhcpcd.
-- Deprecate per-role templates and rolemap support.
-- Implement user-based access control for use as role separations.
-- Move shared library calls from individual modules to the domain module.
-- Enable open permission checks policy capability.
-- Remove hierarchy from portage module as it is not a good example of
- hieararchy.
-- Remove enableaudit target from modular build as semodule -DB supplants it.
-- Added modules:
- milter (Paul Howarth)
-
-* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
-- Debian update for NetworkManager/wpa_supplicant from Martin Orr.
-- Logrotate and Bind updates from Vaclav Ovsik.
-- Init script file and domain support.
-- Glibc 2.7 fix from Vaclav Ovsik.
-- Samba/winbind update from Mike Edenfield.
-- Policy size optimization with a non-security file attribute from James
- Carter.
-- Database labeled networking update from KaiGai Kohei.
-- Several misc changes from the Fedora policy, cherry picked by David
- Hardeman.
-- Large whitespace fix from Dominick Grift.
-- Pam_mount fix for local login from Stefan Schulze Frielinghaus.
-- Issuing commands to upstart is over a datagram socket, not the initctl
- named pipe. Updated init_telinit() to match.
-- Added modules:
- cyphesis (Dan Walsh)
- memcached (Dan Walsh)
- oident (Dominick Grift)
- w3c (Dan Walsh)
-
-* Wed Jul 02 2008 Chris PeBenito <selinux@tresys.com> - 20080702
-- Fix httpd_enable_homedirs to actually provide the access it is supposed to
- provide.
-- Add unused interface/template parameter metadata in XML.
-- Patch to handle postfix data_directory from Vaclav Ovsik.
-- SE-Postgresql policy from KaiGai Kohei.
-- Patch for X.org dbus support from Martin Orr.
-- Patch for labeled networking controls in 2.6.25 from Paul Moore.
-- Module loading now requires setsched on kernel threads.
-- Patch to allow gpg agent --write-env-file option from Vaclav Ovsik.
-- X application data class from Eamon Walsh and Ted Toth.
-- Move user roles into individual modules.
-- Make hald_log_t a log file.
-- Cryptsetup runs shell scripts. Patch from Martin Orr.
-- Add file for enabling policy capabilities.
-- Patch to fix leaky interface/template call depth calculator from Vaclav
- Ovsik.
-- Added modules:
- kerneloops (Dan Walsh)
- kismet (Dan Walsh)
- podsleuth (Dan Walsh)
- prelude (Dan Walsh)
- qemu (Dan Walsh)
- virt (Dan Walsh)
-
-* Wed Apr 02 2008 Chris PeBenito <selinux@tresys.com> - 20080402
-- Add core Security Enhanced X Windows support.
-- Fix winbind socket connection interface for default location of the
- sock_file.
-- Add wireshark module based on ethereal module.
-- Revise upstart support in init module to use a tunable, as upstart is now
- used in Fedora too.
-- Add iferror.m4 rather generate it out of the Makefiles.
-- Definitions for open permisson on file and similar objects from Eric
- Paris.
-- Apt updates for ptys and logs, from Martin Orr.
-- RPC update from Vaclav Ovsik.
-- Exim updates on Debian from Devin Carrawy.
-- Pam and samba updates from Stefan Schulze Frielinghaus.
-- Backup update on Debian from Vaclav Ovsik.
-- Cracklib update on Debian from Vaclav Ovsik.
-- Label /proc/kallsyms with system_map_t.
-- 64-bit capabilities from Stephen Smalley.
-- Labeled networking peer object class updates.
-
-* Fri Dec 14 2007 Chris PeBenito <selinux@tresys.com> - 20071214
-- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
-- Improve several tunables descriptions from Dan Walsh.
-- Patch to clean up ns switch usage in the policy from Dan Walsh.
-- More complete labeled networking infrastructure from KaiGai Kohei.
-- Add interface for libselinux constructor, for libselinux-linked
- SELinux-enabled programs.
-- Patch to restructure user role templates to create restricted user roles
- from Dan Walsh.
-- Russian man page translations from Andrey Markelov.
-- Remove unused types from dbus.
-- Add infrastructure for managing all user web content.
-- Deprecate some old file and dir permission set macros in favor of the
- newer, more consistently-named macros.
-- Patch to clean up unescaped periods in several file context entries from
- Jan-Frode Myklebust.
-- Merge shlib_t into lib_t.
-- Merge strict and targeted policies. The policy will now behave like the
- strict policy if the unconfined module is not present. If it is, it will
- behave like the targeted policy. Added an unconfined role to have a mix
- of confined and unconfined users.
-- Added modules:
- exim (Dan Walsh)
- postfixpolicyd (Jan-Frode Myklebust)
-
-* Fri Sep 28 2007 Chris PeBenito <selinux@tresys.com> - 20070928
-- Add support for setting the unknown permissions handling.
-- Fix XML building for external reference builds and headers builds.
-- Patch to add missing requirements in userdomain interfaces from Shintaro
- Fujiwara.
-- Add tcpd_wrapped_domain() for services that use tcp wrappers.
-- Update MLS constraints from LSPP evaluated policy.
-- Allow initrc_t file descriptors to be inherited regardless of MLS level.
- Accordingly drop MLS permissions from daemons that inherit from any level.
-- Files and radvd updates from Stefan Schulze Frielinghaus.
-- Deprecate mls_file_write_down() and mls_file_read_up(), replaced with
- mls_write_all_levels() and mls_read_all_levels(), for consistency.
-- Add make kernel and init ranged interfaces pass the range transition MLS
- constraints. Also remove calls to mls_rangetrans_target() in modules that use
- the kernel and init interfaces, since its redundant.
-- Add interfaces for all MLS attributes except X object classes.
-- Require all sensitivities and categories for MLS and MCS policies, not just
- the low and high sensitivity and category.
-- Database userspace object manager classes from KaiGai Kohei.
-- Add third-party interface for Apache CGI.
-- Add getserv and shmemserv nscd permissions.
-- Add debian apcupsd binary location, from Stefan Schulze Frielinghaus.
-- Added modules:
- application
- awstats (Stefan Schulze Frielinghaus)
- bitlbee (Devin Carraway)
- brctl (Dan Walsh)
-
-* Fri Jun 29 2007 Chris PeBenito <selinux@tresys.com> - 20070629
-- Fix incorrectly named files_lib_filetrans_shared_lib() interface in the
- libraries module.
-- Unified labeled networking policy from Paul Moore.
-- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
-- Xen updates from Dan Walsh.
-- Filesystem updates from Dan Walsh.
-- Large samba update from Dan Walsh.
-- Drop snmpd_etc_t.
-- Confine sendmail and logrotate on targeted.
-- Tunable connection to postgresql for users from KaiGai Kohei.
-- Memprotect support patch from Stephen Smalley.
-- Add logging_send_audit_msgs() interface and deprecate
- send_audit_msgs_pattern().
-- Openct updates patch from Dan Walsh.
-- Merge restorecon into setfiles.
-- Patch to begin separating out hald helper programs from Dan Walsh.
-- Fixes for squid, dovecot, and snmp from Dan Walsh.
-- Miscellaneous consolekit fixes from Dan Walsh.
-- Patch to have avahi use the nsswitch interface rather than individual
- permissions from Dan Walsh.
-- Patch to dontaudit logrotate searching avahi pid directory from Dan Walsh.
-- Patch to allow insmod to mount kvmfs and dontaudit rw unconfined_t pipes
- to handle usage from userhelper from Dan Walsh.
-- Patch to allow amavis to read spamassassin libraries from Dan Walsh.
-- Patch to allow slocate to getattr other filesystems and directories on those
- filesystems from Dan Walsh.
-- Fixes for RHEL4 from the CLIP project.
-- Replace the old lrrd fc entries with munin ones.
-- Move program admin template usage out of userdom_admin_user_template() to
- sysadm policy in userdomain.te to fix usage of the template for third
- parties.
-- Fix clockspeed_run_cli() declaration, it was incorrectly defined as a
- template instead of an interface.
-- Added modules:
- amtu (Dan Walsh)
- apcupsd (Dan Walsh)
- rpcbind (Dan Walsh)
- rwho (Nalin Dahyabhai)
-
-* Tue Apr 17 2007 Chris PeBenito <selinux@tresys.com> - 20070417
-- Patch for sasl's use of kerberos from Dan Walsh.
-- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
-- Man page updates from Dan Walsh.
-- Two patches from Paul Moore to for ipsec to remove redundant rules and
- have setkey read the config file.
-- Move booleans and tunables to modules when it is only used in a single
- module.
-- Add support for tunables and booleans local to a module.
-- Merge sbin_t and ls_exec_t into bin_t.
-- Remove disable_trans booleans.
-- Output different header sets for kernel and userland from flask headers.
-- Marked the pax class as deprecated, changed it to userland so
- it will be removed from the kernel.
-- Stop including netfilter contexts by default.
-- Add dontaudits for init fds and console to init_daemon_domain().
-- Patch to allow gpg to create user keys dir.
-- Patch to support kvmfs from Dan Walsh.
-- Patch for misc fixes in sudo from Dan Walsh.
-- Patch to fix netlabel recvfrom MLS constraint from Paul Moore.
-- Patch for handling restart of nscd when ran from useradd, groupadd, and
- admin passwd, from Dan Walsh.
-- Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
-- Patch for setroubleshoot for validating file contexts from Dan Walsh.
-- Patch for gssd fixes from Dan Walsh.
-- Patch for lvm fixes from Dan Walsh.
-- Patch for ricci fixes from Dan Walsh.
-- Patch for postfix lmtp labeling and pickup rule fix from Dan Walsh.
-- Patch for kerberized telnet fixes from Dan Walsh.
-- Patch for kerberized ftp and other ftp fixes from Dan Walsh.
-- Patch for an additional wine executable from Dan Walsh.
-- Eight patches for file contexts in games, wine, networkmanager, miscfiles,
- corecommands, devices, and java from Dan Walsh.
-- Add support for libselinux 2.0.5 init_selinuxmnt() changes.
-- Patch for misc fixes to bluetooth from Dan Walsh.
-- Patch for misc fixes to kerberos from Dan Walsh.
-- Patch to start deprecating usercanread attribute from Ryan Bradetich.
-- Add dccp_socket object class which was added in kernel 2.6.20.
-- Patch for prelink relabefrom it's temp files from Dan Walsh.
-- Patch for capability fix for auditd and networking fix for syslogd from
- Dan Walsh.
-- Patch to remove redundant mls_trusted_object() call from Dan Walsh.
-- Patch for misc fixes to nis ypxfr policy from Dan Walsh.
-- Patch to allow apmd to telinit from Dan Walsh.
-- Patch for additional labeling of samba files from Stefan Schulze
- Frielinghaus.
-- Patch to remove incorrect cron labeling in apache.fc from Ryan Bradetich.
-- Fix ptys and ttys to be device nodes.
-- Fix explicit use of httpd_t in openca_domtrans().
-- Clean up file context regexes in apache and java, from Eamon Walsh.
-- Patches from Dan Walsh:
- Thu, 25 Jan 2007
-- Added modules:
- consolekit (Dan Walsh)
- fail2ban (Dan Walsh)
- zabbix (Dan Walsh)
-
-* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
-- Add policy patterns support macros. This changes the behavior of
- the create_dir_perms and create_file_perms permission sets.
-- Association polmatch MLS constraint making unlabeled_t an exception
- is no longer needed, patch from Venkat Yekkirala.
-- Context contains checking for PAM and cron from James Antill.
-- Add a reload target to Modules.devel and change the load
- target to only insert modules that were changed.
-- Allow semanage to read from /root on strict non-MLS for
- local policy modules.
-- Gentoo init script fixes for udev.
-- Allow udev to read kernel modules.inputmap.
-- Dnsmasq fixes from testing.
-- Allow kernel NFS server to getattr filesystems so df can work
- on clients.
-- Patch from Matt Anderson for a MLS constraint exemption on a
- file that can be written to from a subject whose range is
- within the object's range.
-- Enhanced setransd support from Darrel Goeddel.
-- Patches from Dan Walsh:
- Tue, 24 Oct 2006
- Wed, 29 Nov 2006
-- Added modules:
- aide (Matt Anderson)
- ccs (Dan Walsh)
- iscsi (Dan Walsh)
- ricci (Dan Walsh)
-
-* Wed Oct 18 2006 Chris PeBenito <selinux@tresys.com> - 20061018
-- Patch from Russell Coker Thu, 5 Oct 2006
-- Move range transitions to modules.
-- Make number of MLS sensitivities, and number of MLS and MCS
- categories configurable as build options.
-- Add role infrastructure.
-- Debian updates from Erich Schubert.
-- Add nscd_socket_use() to auth_use_nsswitch().
-- Remove old selopt rules.
-- Full support for netfilter_contexts.
-- MRTG patch for daemon operation from Stefan.
-- Add authlogin interface to abstract common access for login programs.
-- Remove setbool auditallow, except for RHEL4.
-- Change eventpollfs to task SID labeling.
-- Add key support from Michael LeMay.
-- Add ftpdctl domain to ftp, from Paul Howarth.
-- Fix build system to not move type declarations out of optionals.
-- Add gcc-config domain to portage.
-- Add packet object class and support in corenetwork.
-- Add a copy of genhomedircon for monolithic policy building, so that a
- policycoreutils package update is not required for RHEL4 systems.
-- Add appletalk sockets for use in cups.
-- Add Make target to validate module linking.
-- Make duplicate template and interface declarations a fatal error.
-- Patch to stabilize modules.conf `make conf` output, from Erich Schubert.
-- Move xconsole_device_t from devices to xserver since it is
- not actually a device, it is a named pipe.
-- Handle nonexistant .fc and .if files in devel Makefile by
- automatically creating empty files.
-- Remove unused devfs_control_t.
-- Add rhel4 distro, which also implies redhat distro.
-- Remove unneeded range_transition for su_exec_t and move the
- type declaration back to the su module.
-- Constrain transitions in MCS so unconfined_t cannot have
- arbitrary category sets.
-- Change reiserfs from xattr filesystem to genfscon as it's xattrs
- are currently nonfunctional.
-- Change files and filesystem modules to use their own interfaces.
-- Add user fonts to xserver.
-- Additional interfaces in corecommands, miscfiles, and userdomain
- from Joy Latten.
-- Miscellaneous fixes from Thomas Bleher.
-- Deprecate module name as first parameter of optional_policy()
- now that optionals are allowed everywhere.
-- Enable optional blocks in base module and monolithic policy.
- This requires checkpolicy 1.30.1.
-- Fix vpn module declaration.
-- Numerous fixes from Dan Walsh.
-- Change build order to preserve m4 line number information so policy
- compile errors are useful again.
-- Additional MLS interfaces from Chad Hanson.
-- Move some rules out of domain_type() and domain_base_type()
- to the TE file, to use the domain attribute to take advantage
- of space savings from attribute use.
-- Add global stack smashing protector rule for urandom access from
- Petre Rodan.
-- Fix temporary rules at the bottom of portmap.
-- Updated comments in mls file from Chad Hanson.
-- Patches from Dan Walsh:
- Fri, 17 Mar 2006
- Wed, 29 Mar 2006
- Tue, 11 Apr 2006
- Fri, 14 Apr 2006
- Tue, 18 Apr 2006
- Thu, 20 Apr 2006
- Tue, 02 May 2006
- Mon, 15 May 2006
- Thu, 18 May 2006
- Tue, 06 Jun 2006
- Mon, 12 Jun 2006
- Tue, 20 Jun 2006
- Wed, 26 Jul 2006
- Wed, 23 Aug 2006
- Thu, 31 Aug 2006
- Fri, 01 Sep 2006
- Tue, 05 Sep 2006
- Wed, 20 Sep 2006
- Fri, 22 Sep 2006
- Mon, 25 Sep 2006
-- Added modules:
- afs
- amavis (Erich Schubert)
- apt (Erich Schubert)
- asterisk
- audioentropy
- authbind
- backup
- calamaris
- cipe
- clamav (Erich Schubert)
- clockspeed (Petre Rodan)
- courier
- dante
- dcc
- ddclient
- dpkg (Erich Schubert)
- dnsmasq
- ethereal
- evolution
- games
- gatekeeper
- gift
- gnome (James Carter)
- imaze
- ircd
- jabber
- monop
- mozilla
- mplayer
- munin
- nagios
- nessus
- netlabel (Paul Moore)
- nsd
- ntop
- nx
- oav
- oddjob (Dan Walsh)
- openca
- openvpn (Petre Rodan)
- perdition
- portslave
- postgrey
- pxe
- pyzor (Dan Walsh)
- qmail (Petre Rodan)
- razor
- resmgr
- rhgb
- rssh
- snort
- soundserver
- speedtouch
- sxid
- thunderbird
- tor (Erich Schubert)
- transproxy
- tripwire
- uptime
- uwimap
- vmware
- watchdog
- xen (Dan Walsh)
- xprint
- yam
-
-* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
-- Make all interface parameters required.
-- Move boot_t, system_map_t, and modules_object_t to files module,
- and move bootloader to admin layer.
-- Add semanage policy for semodule from Dan Walsh.
-- Remove allow_execmem from targeted policy domain_base_type().
-- Add users_extra and seusers support.
-- Postfix fixes from Serge Hallyn.
-- Run python and shell directly to interpret scripts so policy
- sources need not be executable.
-- Add desc tag XML to booleans and tunables, and add summary
- to param XML tag, to make future translations possible.
-- Remove unused lvm_vg_t.
-- Many interface renames to improve naming consistency.
-- Merge xdm into xserver.
-- Remove kernel module reversed interfaces.
-- Add filename attribute to module XML tag and lineno attribute to
- interface XML tag.
-- Changed QUIET build option to a yes or no option.
-- Add a Makefile used for compiling loadable modules in a
- user's development environment, building against policy headers.
-- Add Make target for installing policy headers.
-- Separate per-userdomain template expansion from the userdomain
- module and add infrastructure to expand templates in the modules
- that own the template.
-- Enable secadm only for MLS policies.
-- Remove role change rules in su and sudo since this functionality has been
- removed from these programs.
-- Add ctags Make target from Thomas Bleher.
-- Collapse commands with grep piped to sed into one sed command.
-- Fix type_change bug in term_user_pty().
-- Move ice_tmp_t from miscfiles to xserver.
-- Login fixes from Serge Hallyn.
-- Move xserver_log_t from xdm to xserver.
-- Add lpr per-userdomain policy to lpd.
-- Miscellaneous fixes from Dan Walsh.
-- Change initrc_var_run_t interface noun from script_pid to utmp,
- for greater clarity.
-- Added modules:
- certwatch
- mono (Dan Walsh)
- mrtg
- portage
- tvtime
- userhelper
- usernetctl
- wine (Dan Walsh)
- xserver
-
-* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
-- Adds support for generating corenetwork interfaces based on attributes
- in addition to types.
-- Permits the listing of multiple nodes in a network_node() that will be
- given the same type.
-- Add two new permission sets for stream sockets.
-- Rename file type transition interfaces verb from create to
- filetrans to differentiate it from create interfaces without
- type transitions.
-- Fix expansion of interfaces from disabled modules.
-- Rsync can be long running from init,
- added rules to allow this.
-- Add polyinstantiation build option.
-- Add setcontext to the association object class.
-- Add apache relay and db connect tunables.
-- Rename texrel_shlib_t to textrel_shlib_t.
-- Add swat to samba module.
-- Numerous miscellaneous fixes from Dan Walsh.
-- Added modules:
- alsa
- automount
- cdrecord
- daemontools (Petre Rodan)
- ddcprobe
- djbdns (Petre Rodan)
- fetchmail
- irc
- java
- lockdev
- logwatch (Dan Walsh)
- openct
- prelink (Dan Walsh)
- publicfile (Petre Rodan)
- readahead
- roundup
- screen
- slocate (Dan Walsh)
- slrnpull
- smartmon
- sysstat
- ucspitcp (Petre Rodan)
- usbmodules
- vbetool (Dan Walsh)
-
-* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
-- Add unlabeled IPSEC association rule to domains with
- networking permissions.
-- Merge systemuser back in to users, as these files
- do not need to be split.
-- Add check for duplicate interface/template definitions.
-- Move domain, files, and corecommands modules to kernel
- layer to resolve some layering inconsistencies.
-- Move policy build options out of Makefile into build.conf.
-- Add yppasswd to nis module.
-- Change optional_policy() to refer to the module name
- rather than modulename.te.
-- Fix labeling targets to use installed file_contexts rather
- than partial file_contexts in the policy source directory.
-- Fix build process to use make's internal vpath functions
- to detect modules rather than using subshells and find.
-- Add install target for modular policy.
-- Add load target for modular policy.
-- Add appconfig dependency to the load target.
-- Miscellaneous fixes from Dan Walsh.
-- Fix corenetwork gen_context()'s to expand during the policy
- build phase instead of during the generation phase.
-- Added policies:
- amanda
- avahi
- canna
- cyrus
- dbskk
- dovecot
- distcc
- i18n_input
- irqbalance
- lpd
- networkmanager
- pegasus
- postfix
- procmail
- radius
- rdisc
- rpc
- spamassassin
- timidity
- xdm
- xfs
-
-* Wed Oct 19 2005 Chris PeBenito <selinux@tresys.com> - 20051019
-- Many fixes to make loadable modules build.
-- Add targets for sechecker.
-- Updated to sedoctool to read bool files and tunable
- files separately.
-- Changed the xml tag of <boolean> to <bool> to be consistent
- with gen_bool().
-- Modified the implementation of segenxml to use regular
- expressions.
-- Rename context_template() to gen_context() to clarify
- that its not a Reference Policy template, but a support
- macro.
-- Add disable_*_trans bool support for targeted policy.
-- Add MLS module to handle MLS constraint exceptions,
- such as reading up and writing down.
-- Fix errors uncovered by sediff.
-- Added policies:
- anaconda
- apache
- apm
- arpwatch
- bluetooth
- dmidecode
- finger
- ftp
- kudzu
- mailman
- ppp
- radvd
- sasl
- webalizer
-
-* Thu Sep 22 2005 Chris PeBenito <selinux@tresys.com> - 20050922
-- Make logrotate, sendmail, sshd, and rpm policies
- unconfined in the targeted policy so no special
- modules.conf is required.
-- Add experimental MCS support.
-- Add appconfig for MLS.
-- Add equivalents for old can_resolve(), can_ldap(), and
- can_portmap() to sysnetwork.
-- Fix base module compile issues.
-- Added policies:
- cpucontrol
- cvs
- ktalk
- portmap
- postgresql
- rlogin
- samba
- snmp
- stunnel
- telnet
- tftp
- uucp
- vpn
- zebra
-
-* Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907
-- Fix errors uncovered by sediff.
-- Doc tool will explicitly say a module does not have interfaces
- or templates on the module page.
-- Added policies:
- comsat
- dbus
- dhcp
- dictd
- hal
- inn
- ntp
- squid
-
-* Fri Aug 26 2005 Chris PeBenito <selinux@tresys.com> - 20050826
-- Add Makefile support for building loadable modules.
-- Add genclassperms.py tool to add require blocks
- for loadable modules.
-- Change sedoctool to make required modules part of base
- by default, otherwise make as modules, in modules.conf.
-- Fix segenxml to handle modules with no interfaces.
-- Rename ipsec connect interface for consistency.
-- Add missing parts of unix stream socket connect interface
- of ipsec.
-- Rename inetd connect interface for consistency.
-- Rename interface for purging contents of tmp, for clarity,
- since it allows deletion of classes other than file.
-- Misc. cleanups.
-- Added policies:
- acct
- bind
- firstboot
- gpm
- howl
- ldap
- loadkeys
- mysql
- privoxy
- quota
- rshd
- rsync
- su
- sudo
- tcpd
- tmpreaper
- updfstab
-
-* Tue Aug 2 2005 Chris PeBenito <selinux@tresys.com> - 20050802
-- Fix comparison bug in fc_sort.
-- Fix handling of ordered and unordered HTML lists.
-- Corenetwork now supports multiple network interfaces having the
- same type.
-- Doc tool now creates pages for global Booleans and global tunables.
-- Doc tool now links directly to the interface/template in the
- module page when it is selected in the interface/template index.
-- Added support for layer summaries.
-- Added policies:
- ipsec
- nscd
- pcmcia
- raid
-
-* Thu Jul 7 2005 Chris PeBenito <selinux@tresys.com> - 20050707
-- Changed xml to have modules encapsulated by layer tags, rather
- than putting layer="foo" in the module tags. Also in the future
- we can put a summary and description for each layer.
-- Added tool to infer interface, module, and layer tags. This will
- now list all interfaces, even if they are missing xml docs.
-- Shortened xml tag names.
-- Added macros to declare interfaces and templates.
-- Added interface call trace.
-- Updated all xml documentation for shorter and inferred tags.
-- Doc tool now displays templates in the web pages.
-- Doc tool retains the user's settings in modules.conf and
- tunables.conf if the files already exist.
-- Modules.conf behavior has been changed to be a list of all
- available modules, and the user can specify if the module is
- built as a loadable module, included in the monolithic policy,
- or excluded.
-- Added policies:
- fstools (fsck, mkfs, swapon, etc. tools)
- logrotate
- inetd
- kerberos
- nis (ypbind and ypserv)
- ssh (server, client, and agent)
- unconfined
-- Added infrastructure for targeted policy support, only missing
- transition boolean support.
-
-* Wed Jun 15 2005 Chris PeBenito <selinux@tresys.com> - 20050615
- - Initial release
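Review bot: this hunk only deletes the pre-2013 history (everything back to the "* Wed Jun 15 2005 ... - Initial release" entry) and nothing in the visible diff re-adds it anywhere, so if the intent is to archive the old log rather than drop it, the archived copy should be part of the same change (or the new-format entries should name the file it moved to); otherwise security-relevant history such as "Add dccp_socket object class which was added in kernel 2.6.20", "Constrain transitions in MCS so unconfined_t cannot have arbitrary category sets" and "Add support for libselinux 2.0.5 init_selinuxmnt() changes" becomes unreachable from the repository. If the archive is written verbatim, keep the original wording (including the "relabefrom it's temp files" typo in the prelink entry) so existing references to these entries still match.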